If you’re a software developer and you’ve wanted to learn Squeak, it’s been a struggle for a while now.

Edit 4-10-2017: Re. the paragraph below on Guzdial’s books, I recommend “Squeak: Object-Oriented Design with Multimedia Applications” with some caution now, because the Mac version of Squeak 2.8 will no longer work on a Mac. In fact, it hasn’t worked on a Mac since OS X Lion (Version 10.7), since Apple got rid of Rosetta. The Windows version of 2.8 may still work on a modern version of Windows. If you’re a Mac user, you can run Windows inside of a virtual machine, like VirtualBox, or a commercial VM. The Windows version of 2.8 might also work with Wine (a multi-platform, open source package that allows you to run some Windows programs in OS X or Linux), but I haven’t tried it.

It used to be possible to get Squeak 2.8 online, but I’m not sure if that’s possible anymore. Many of the examples in the book will probably still work on a modern Squeak version, since they just deal with basic Smalltalk features, but some examples will likely no longer work.

In 2001 and 2002 Mark Guzdial wrote two books on Squeak: Squeak: Object-Oriented Design with Multimedia Applications, and Squeak: Open Personal Computing and Multimedia (co-authored with Kim Rose). These are two books I found that have a system/programmer perspective on it. They’re both out of print, but last I checked they’re still available from Amazon.com. A lot of the knowledge in these two books is still relevant to Squeak, but they are in a sense out of date, because they were written for earlier versions, and some of the features Guzdial talks about are either broken now or non-existent in the current version, and there are tools that are in common use now in Squeak that didn’t exist at the time he wrote them. By the way, if you get these books I strongly recommend that you get Squeak version 2.8, because it’s the version the books talk about. If you can, you might want to get the CD with the book (some of the used editions don’t have it). It has version 2.8 on it.

Edit 10-19-2011: Just for clarification, I’ll add that “Squeak: Object-Oriented Design with Multimedia Applications” is a book you can get if you’re trying to learn how to use Squeak, and learn the Smalltalk language. It guides you through the features of the system, and contains exercises to help you learn what you can do in it. “Squeak: Open Personal Computing and Multimedia” is more of a philosophical book, talking about why Squeak was created, and what it represents in the world.

Just today (Sept. 14, 2007) I heard about a new book that’s been published called “Squeak By Example”, written by Andrew Black, Stephane Ducasse, Oscar Nierstrasz, Damien Pollet, Damien Cassou, and Marcus Denker. It’s available as a free PDF. The book is released under the Creative Commons Attribution-ShareAlike license. It is also open source.

This is a developer-focused book. If you’re looking for a book that looks at Squeak from a child’s/educator’s perspective, I’d recommend any of the other books on Squeak, such as Squeak: Programming With Robots, by Stephane Ducasse.

As I’ve said before, there are tools you can run inside of Squeak. “Squeak by Example” discusses many of the ones developers will need to know about. Each tool also has an object model that is accessible from inside your own code, which is also discussed.

It talks about the system, or kernel objects, such as collections, streams, and the meta-object model. It talks about message passing, which is the mechanism by which you and objects communicate with other objects.

It teaches the basics of how to use Squeak in a nice level of detail. One of the things I haven’t liked about most of the Squeak tutorials out there is they ignore the basic, beginner-level knowledge someone new to it needs to know, like how to bring up menus, what menus are available, and what you can do with them, not to mention how to install and run it (though this is pretty easy). This book allows you to ease into it, showing you how to install Squeak, and how to use the mouse with it.

I’ve been itching to recommend this tutorial, done by Stephan Wessels, but I haven’t because it skips the beginner basics. Now I can, since you can learn these basics elsewhere. He takes you step by step through a complete development example, creating a “laser” game in Morphic, a graphical objects/UI framework in Squeak.

Just as a side note, when I first saw Stephan’s tutorial it reminded me of Laser Chess, by Mike Duppong, a game that was originally published in Compute!’s Atari ST Disk & Magazine 20 years ago (the multi-platform Compute! Magazine published ports of it for Commodore, Atari 8-bit, and Apple II computers).

Anyway, enough reminiscing. Here are some other tutorials on the Squeak Wiki. Like I said, they typically don’t cover the beginner basics, but once you know them, you’ll probably find other useful information here.

For you web developers out there, once you learn the stuff I mentioned above, you can move on to the Seaside tutorials.

Lispers have long felt that it’s very difficult to get lay programmers to understand Lisp, because there’s no common context to help people relate to its unique syntax and powerful features. Slava went against the grain and managed to pull it off. His message is “XML = Lisp with angle brackets”. Or, put another way, “You’re soaking in it!” Are you using Ant? Are you using Hibernate and/or Spring? Are you using CodeSmith to generate code? If so, then you are already halfway to understanding Lisp, because even though the syntax is different, the underlying concepts are the same. XML is your code, and the XML processors are analogous to a Lisp interpreter running your code against some pre-loaded libraries. The difference is Lisp gives you more flexibility and control (ie. more power).

If you don’t understand Lisp macros, but you know how to program in C/C++, he helps you make the transition from C/C++ macros to Lisp macros.

He sums it up with: “Lisp is executable XML with a friendlier syntax.”

Once you understand these analogies, he introduces you to Lisp code.

If Lisp has mystified you, this is a great introduction that will help you get on your way. It won’t make you totally comfortable with it right off the bat, but it will help you get over the initial comprehension barrier. To increase your comprehension, and to learn what Lisp can really do, the following books have come highly recommended to me. I must admit I haven’t read them yet: On Lisp (online book), by Paul Graham; and Practical Common Lisp (online book), by Peter Seibel.

The classic Ruby on Rails demo that usually gets presented is how to build a blog in 15 minutes. This is what you usually get with the RoR screencasts. Ramon Leon at On Smalltalk did a similar demo in his own screencast, “How to build a blog in 15 minutes”, using Smalltalk (Squeak) and Seaside, of course. A key difference between his demo and the one for RoR is he does not save blog entries and comments in a database like MySQL, but rather in OrderedCollections.

I talked to Ramon about using OrderedCollections, and he said that he only uses this scheme for prototypes. It probably would not be safe if it was in production. He suggested people use object database technologies for that, such as Gemstone, Goods, or Magma. Or, if you want to use a relational database, he suggested using Glorp, for object-relational mapping.

Unlike most screencasts, his have no audio, at least right now. It sounds like he’s working on that for future ones.

This is a joyous ride, and I’m still on it! I’ve been rediscovering my “roots”, and moving forward. It’s ironic that technologies that are now decades old hold keys to the future. As I’ve written about previously, I rediscovered Lisp earlier this year. I’ve put that on the shelf for a while, but I intend to get back to it.

Back in August, I dug out some old Smalltalk code I had written for a couple assignments while I was getting my Bachelor’s in computer science, back in the early 1990s. I have fond memories of working with this language. Up to this point I haven’t had a chance to use it in my work, unfortunately. While I was finding videos for my “Great moments in modern computer history” post, I happened upon some videos of Alan Kay dispensing his wisdom, and demonstrating what he had been working on since about the late 90s: Squeak and Croquet. I talked about this a bit in my post, and gave a link to where you could watch one of his presentations. Here are most of the others.

What first interested me in Squeak was its multimedia features. In the online videos of his presentations, Kay used Squeak to create his presentation slides. They look like they might’ve been done in PowerPoint, but they were not. They had integrated video and EToys demonstrations. I liked his demonstrations of what children could do with EToys, where they could draw their own graphical objects, and manipulate them with a little bit of script, or just using their “halos.” Halos are a Squeak concept. Since everything in Squeak is an object, even fundamental graphical elements like menus and windows, they can all be manipulated by the user in standard ways. They can be rotated and moved, made to disappear, etc., just by using the mouse. The same can be done with graphics that a user draws.

As I said before, Kay is worth listening to, even without the cool graphics. One speech to note is the one he gave for his Turing Award, which he received in 2003. I like the title of it: “The Computer Revolution Hasn’t Happened Yet.” Amen! The Turing Award is like a “lifetime achievement” award in the computer science community. Only people who have made significant contributions to the discipline are awarded it. There’s a list of previous Turing Award winners here. If you’ve gotten an education in computer science you will have seen at least a few of these names.

Croquet is the more recent project he’s worked on. It’s like something I imagined would come along one day: a 3D user interface. Croquet is an expansion of the idea of Smalltalk. The intent is to create a collaborative environment. It uses elements that are already part of MMPGs (Massively Multi-player Games). Each user has an “avatar” in the environment, though you typically have a first-person POV. The team behind Croquet purposely made networking and collaborative computing easy. Like Smalltalk, Croquet is designed to encourage experimentation, and appears to be ideally suited for creating 3D simulations. It’s in beta at this point. While it looks neat, it’s not something I’m particularly interested in, but perhaps one day I’ll get into it. It couldn’t have come at a better time, since people have just been introduced to collaborative computing over the last several years, though as with everything else, what people usually see is a web interface. Croquet is more along the lines of the classical GUI, but upgraded.

Squeak is something I can relate to. It’s a free, open source implementation of the Smalltalk system. It’s the canonical object-oriented programming environment. Every object-oriented language shares many of its features, though the more popular ones lack some of them.

From what I can surmise, Squeak is a lot like the original Smalltalk system developed at Xerox PARC more than 30 years ago, though it’s gotten some updates. It has color, for one thing. 😉 It’s practically its own operating system, though it runs in Windows, Mac, Linux, etc. as an application. The interface is like the desktop-style UI we’re all used to by now (though I’ve heard it’s possible to run it in a “headless” mode, where you can just start it from a command line with no GUI). All code and data are stored as objects in an image file, not unlike the virtualization images used with bona fide operating systems in Virtual PC or VMware. In reality, it’s probably more like Common Lisp, which also can create image files. Squeak allows users and developers to do unlimited undos to changes to its system. You can in effect “go back in time” to an earlier system state. Conceivably users could even use this feature to go back to an earlier version of Squeak than the one they have (not recommended–it’s better to just download an earlier release of Squeak if that’s what you’re after). It’s a bit like System Restore in Windows XP, and I’m sure Mac OS X has a similar system-wide feature.

Developer Tools

Edit 10/12/06:

This slipped my mind when I first wrote this post. Squeak comes with its own developer tools that you can select from a sidebar-type menu within the Squeak interface. There’s a lot to get used to with Squeak. Even though it has a desktop-style interface, it doesn’t operate like Windows or the Mac. A difference I noticed right off the bat is you do not double-click on icons to get a GUI program started. Rather you click and drag. Doing this starts the tool right up. Things are not where a newbie Squeaker expects them to be, so you have to have some patience and search for them. After a while you’ll get used to it.

It has an IDE, called a “Browser,” that allows you to see all the classes in the system, plus any that you create. It has its own code editor and debugger.

Developers can create GUI projects (analogous to an application) that run inside Squeak, using a GUI framework called Morphic.

Squeak has its own components for creating presentations as well. They’re fairly easy to set up and get going.

Squeak in education

Alan Kay has long focused on education. His Squeak/EToys demos are targeted at those interested in using technology in education. Squeak used to contain many working multimedia features, and that’s what they were targeted at. I talk about this more below. The educational site for Squeak is here.

Smalltalk

Smalltalk was designed to be a fundamental technology upon which greater technologies could be constructed. For example Croquet is written in Squeak (Smalltalk). The Smalltalk programming language is powerful. Programmers can get things done in fewer lines of code than they could in most other languages. Some of the reasons are it’s a dynamically typed language, it implements method calls as parameterized messages that are passed to objects, it implements closures, and has support for continuations. Lisp shares all of these features except for the object-oriented message passing (though CLOS may have them. I don’t know). Closures are chunks of code that can be passed around between objects, but which maintain enough of the context from where they were created to execute them successfully when the referencing objects choose to run them. An analogy to closures would be anonymous methods in .Net and Java. Below are a couple of examples.

|x|
x := 0.
#(5 4 3) do: [:a | x := x + a].
Transcript show: x.

‘x’ is a temporary variable. The array #(5 4 3), in this case an array literal, has a method called “do:” that takes a closure. The code in between the []’s is the closure. The part you see inside, between the ‘[‘ and the ‘|’ is where parameters for the closure go. The part after the ‘|’ is the logic of the closure. The array’s “do:” method iterates over itself, passing each element into the given closure, using the ‘:a’ parameter. The logic inside the closure adds each element to x, which functions as an accumulator. Transcript outputs the result, which is 12. Note that even though the closure is passed to an object, the local variable ‘x’ functions as though the code in the closure was running in the local scope.

To show the power of Smalltalk, I can shorten this into one line by using another method of the array class:

Transcript show: (#(5 4 3) inject: 0 into: [:a :c | a + c]).

Before I go further I should explain that it’s possible to combine messages for a single method. The above code is an example of this. There is an inherited method available to the array class, called inject:into:. It’s two messages for one method, each message carrying a parameter. It’s a method that takes two parameters.

What this does is “inject” 0 into the ‘:a’ parameter when the closure is executed the first time by the array. Thereafter the ‘:a’ parameter functions as a persistent variable inside the closure. The method iterates over the array, passing each element into the closure. The ‘:c’ parameter receives each element of the array. The logic is subtle. Each time the closure is called, what happens in effect is: a := a + c, and the end result of ‘a’ is the result of the method call. This gets passed into Transcript, which outputs the result.

Seaside – the Squeak Enterprise Aubergines Server and IDE

What made me pay more attention to Squeak is a web framework written for it called Seaside. One of the goals of Seaside was to make web programming simple. Avi Bryant, one of the creators of Seaside, has said that he tried to make it as simple as programming a thick client application. To do that, he used continuations. Seaside saves the stack state of the web application for each client session between round trips to the server, automatically. There is no session state to deal with! Secondly, you can have it detect backtracks by the user. An example Avi has used is an airline reservation system, where the user may want to try out a bunch of different itineraries. After going part way through Itinerary A, the user may backtrack either part way or all the way to the beginning of the reservation process, using the Back button on the browser, and pursue alternate itineraries. In the end, the user may want to go back to Itinerary A, and then want to check out. With some web application systems, if the reservation system is written badly, it might try to bill the customer for the last itinerary they tried, like Itinerary C.

The developer can configure Seaside to detect these backtracks, and respond accordingly, so that the customer is always getting what they would expect from the application. Further, there are some powerful packages written for Seaside. There’s Mewa, and Magritte, two meta-language packages. There’s also Scriptaculous, an increasingly popular AJAX package that’s being ported to multiple languages. Meta-languages allow the developer to define forms and reports without getting into the nitty-gritty of HTML markup, and you can use them to automate form validation. Seaside has good support for AJAX. You can put asynchronous controls in your application without writing a line of JavaScript.

Web developers will notice that something is missing from Seaside: support for page templates. Other web frameworks allow a developer to mix special tags in with a static HTML page, which gets processed by the framework on the server side and is converted into standard HTML when it’s sent to the client. In Seaside, all dynamic pages must be written in Smalltalk. It’s possible to inject JavaScript and CSS into a dynamic page, using Seaside’s functions, but it can’t be laid out by a designer onto a template page. They must be set up as strings within your Smalltalk code, as part of the whole Seaside application. Of course, static pages can be set up as such without the need to use the Seaside framework.

This was disconcerting to me at first. As I read about packages like Mewa and Magritte, though, I realized that they do the job that I used to do in page templates. Where this way of doing things could conflict with project operations is if you normally have a page designer set up this sort of stuff.

Edit: I had just barely gotten this posted when Ramon Leon of On Smalltalk pointed out that I was not entirely clear in explaining myself! It is possible to do CSS programmatically in Seaside, as he explains here.

Development Tools

Edit 10/12/06:

Forgot to mention, you can use Squeak’s class browser and debugger to write your Seaside code.

Seaside is written in the spirit of Squeak. It implements “halos” like the Squeak UI does. You can turn them on inside your web browser while running your Seaside project, and do some manipulations of things onscreen. You can take a visual element in the browser window and have it bring up a web version of the Squeak class browser in another instance of your web browser, so that you can examine and change the code, without having to stop the application. Class browser, web browser… I know! The terms can get confusing! Smalltalk had the term “browser” first. It wasn’t meant to confuse people. The point is you don’t have to have access to the Squeak GUI to make minor changes to the application.

From what I understand these development features can be turned off when you deploy your app.

Logistical considerations

Hosting: Hardly any ISPs offer hosting for Seaside. I found one solitary Seaside host on the web at http://www.seasidehosting.st/. To boot they do not host commercial sites, or databases. So if you’re wanting to set up a business app., or one that requires quick lookup of lots of data, your only option may be to either work with a hosting company that’s flexible, that will allow you administrative latitude, since they probably don’t know about Seaside, or host the site yourself.

What about using a database? Squeak can interface with external resources, and this goes for databases as well. There are MySQL and PostgreSQL drivers that run in Squeak and interface with those database systems. There are several drivers for object oriented database systems, though the databases run outside of Squeak. There’s even an object-oriented database written entirely in Smalltalk, called MinneStore, so you can run it inside of Squeak.

(Update 9/23/08: Ramon Leon has written his own persistence framework in Squeak called SandstoneDB. He wrote it as a way of advancing the state of the art in web site development. He found some things about object databases wanting.)

How does a web server interface with Seaside? I’ll put up a separate post about this later. After doing some searching on the web I found one guy who was trying to get IIS to work with it. I think he managed to do it.

There are some hurdles to overcome, but from what I hear, the rewards are worth it. I’ve only read about it at this point.

Made here, used in Europe

This is going to sound like trivia, but it was striking to me. Squeak was written in the U.S., perhaps with contributions from abroad, and Seaside was written by a Canadian (apparently–Avi’s site is in Canada). Just about everyone I’ve seen who’s using these technologies is European, though I have found some American Squeak/Smalltalk bloggers. Most of the major sites are hosted in Europe (I’ll explain more about them below):

Squeak.org, the official site for Squeak, is hosted in Germany

Squeakland.org, an educational site for Squeak, is hosted in Germany

Seaside.st, the official site for Seaside, is hosted in Switzerland

lists.squeakfoundation.org, the Squeak/Seaside mailing lists, are hosted in Germany

smalltalk.org, a Smalltalk evangelism site, is hosted in Canada

The SqueakMap site is hosted in Germany

SeasideHosting.st, the one public hosting service for Seaside, is based in Switzerland

I’m not saying there should be no participation in Europe. I just think it’s striking that there doesn’t seem to be that much use of this technology in the U.S.

In contrast, all the major Ruby on Rails sites are U.S.-based.

Flies in the ointment

I can’t give you an honest assessment of Squeak and Seaside without also talking about its weaknesses.

A glaring weakness, IMO, is how disorganized the Squeak/Seaside community is, in terms of web presence. There are a few Squeak/Smalltalk/Seaside “central” sites that seem to be the “places to go” to start finding out about it, but they’ve got broken links all over the place. Just the other day I checked THE central site for Squeak, http://www.squeak.org, and it was down. The main Squeak sites were down just a week ago, before they were brought back up again.

There are also Squeak developers and users who are up in arms over how its continued development is being handled. I talked to the author of a book on Squeak’s architecture and multimedia features recently, and he said he had given up on it. Apparently the multimedia features have been getting broken by the modifications the Squeak development team has been making to it. He recommended if people are going to use EToys or Squeak’s other multimedia features that they get Squeak Version 3.2 and stick with that. That’s the last version where all of these features worked.

Seaside apparently works fine with Version 3.8, the latest release marked “stable” as of this writing.

Apparently what the development team is trying to do is modularize Squeak, so that developers can downsize it if there are features they don’t need. I understand the impulse to do this, but I wonder if it was designed the way it is on purpose, and that perhaps something is getting lost by trying to split it up. You know, techies complain about how everything is integrated in Microsoft Windows, and they wish it was more modular, but integration creates certain advantages and disadvantages. People should do a cost/benefit analysis on it before dismissing this model. It may have been better to start from scratch than to try to make Squeak something it’s not.

Resources

The Squeak system itself has pretty good documentary support. There were a few books written on Squeak specifically several years ago. You can find them at Amazon.com. There’s only one that’s been written recently, targeted at programming for children, called “Squeak: Learn Programming With Robots”. It’s not about using Squeak to program real robots, just virtual, graphical “robots” inside the Squeak environment. It’s more akin to turtle graphics in the Logo language. In addition, there are several free online books on the Smalltalk language.

I was kind of amazed to find this, but apparently there’s a Squeak-.Net Bridge package you can get.

Some words of advice:

Don’t get discouraged by broken external links. You’re going to run into a lot of them on Squeak-related sites. Even if they appear broken now, they may come back to life later. The same goes for the links on this blog post (though I can’t vouch for the links on the pages I refer to). Last I checked, all of my links worked.

Some features you may see demonstrated in the videos may no longer exist. One screencast on Google Video featured page templates in Seaside. Yes, they once existed, but they were taken out later.

Sometimes the main Squeak sites, like squeak.org, go down. It’s been happening some lately. If they are down, don’t worry. They will be back up again eventually.

Online resources for Squeak and Seaside, in no particular order:

Squeak.org – This is the official Squeak site. You can read a little about it here, and download official releases.

Squeakland.org – This is the educational site for Squeak. There are some online Squeak demos you can try out. You’ll need to install an ActiveX control, or perhaps a plug-in for your browser, since they run inside of a web page. I haven’t found this add-on yet, but I hear it’s available for download on this site.

Seaside – This is the official Seaside site. If you click on the “Download” navigation link there, you’ll get access to Squeak image files that have everything you need to get started with Seaside (so you don’t have to put together the needed components yourself), plus a little instruction on how to get the Comanche web server (a component called WAKom, written in Smalltalk) started.

Learning Seaside – A blog written by Ian Prince on his experiences in learning Seaside, among other things.

The terse guide to Squeak – This is similar to Quick Reference for Squeak, except it’s an HTML page. It briefly documents the standard Smalltalk types and how to use them.

The Seaside mailing list – Hang out where the knowledgeable people are. Discuss/ask questions about Seaside. You’ll need to subscribe first. Posted messages are sent to your e-mail address.

The Squeak Beginners mailing list – New to Squeak? Ask your questions here. It was pointed out by gcorriga of The Weekly Squeak that you can subscribe to this list and receive messages posted by others in your e-mail, or you can just e-mail your questions to the list, without subscribing, but your messages will be run through a moderator (to get their approval) before they are posted for everyone else to see.

Smalltalk.org: the learning page – This is an evangelism site. It talks about all things Smalltalk. I’m directing you to the learning page here. It has a bunch of links to some good resources. Check out some of the navigation links to other parts of the site. I found the “Articles” page particularly interesting.

SqueakMap – Once you get familiar with the Squeak environment, check out this site. It’s a comprehensive database of Squeak packages and projects. Some of them are the ones I’ve mentioned in this article. Apparently SqueakMap is similar to the Gems utility/service in Ruby. I’ve used the site, but you’re supposed to be able to use it inside of Squeak as well, to easily download and install packages, and updates to ones you already have.

Other Smalltalk Implementations

One last note. Just today I found Cincom Smalltalk. It’s a commercial development environment, but they have a free developer’s license. Like Squeak, it’s cross-platform compatible. It works on Windows, Mac OS, Unix, etc. It has .Net, COM, and C integration packages. You can use it to develop GUI and web applications, and web services. Pretty neat! You may see sites or people refer to VisualWorks. They were bought by Cincom, and the VisualWorks product has been integrated into Cincom Smalltalk.

There are many other Smalltalk implementations out there, amazingly enough. It seems to be a relatively small community. I think there are about 8 different implementations.

I’ve run into this issue many times. I read messages from technicians who often complain about how they clean up their customers’ infected Windows XP computers, and before they know it they’re infected again. I’ve been able to run Windows XP for years without catching a single worm or virus. I’ve done it by following some techniques borrowed from my days as a Unix user.

Windows XP has security capabilities built in that apparently a lot of people don’t know about. In this entry I will be discussing them.

Steps you should take to secure your computer:

Make sure the file system you are using is NTFS, not FAT32. The difference is that NTFS enforces user-level security on your folders and files. FAT32 does not. NTFS is an arrow in your quiver against malware, because under the right circumstances it will disallow malware from installing itself just anywhere it wants. If it doesn’t get installed, it has less of a chance of doing mischief.

Install SP 2, if you haven’t done so already (Update 8-20-2009: Now what you should get is SP 3. It probably contains all SP 2 updates, so you shouldn’t need to install both, though you will likely go through the same process described here). The main thing I noticed when I installed Service Pack 2 was that XP warned me whenever I tried to open a file that came from the internet. It also set up other warnings, like whenever I try to open an attachment from an e-mail in Outlook/Outlook Express. It gives me a “second chance” to recover from an action I have taken that could result in damage to my system.

Create a limited account and use it to run your web browser and e-mail client. This ties in with using NTFS. When you run programs under a limited account, XP runs the program in a more restrictive environment. It only allows the program to write files to certain locations, and the program has read access, but not write access to the system registry. A piece of malware could still potentially cause harm, such as corrupting or deleting personal files that the limited account has access to, but doing this makes it more difficult for malware to infect your system. This is important because so long as it can’t “implant” itself somewhere, you don’t have to worry about trying to get it off your system.

Make sure you have a firewall activated. XP comes with its own firewall, but there is free third-party firewall software for Windows, as well as commercial firewalls you can buy. There is no excuse for not having this protection. It is readily available. Having this active makes it more difficult for internet worms to exploit a vulnerability in your system.

Update, update, update. Microsoft sometimes finds vulnerabilities in XP and releases what are called “patches” for it. These are system updates that plug these discovered vulnerabilities. It’s a good rule of thumb: The sooner you put the plugs in, the less vulnerable you will be. Hackers have been getting faster and faster at exploiting vulnerabilities that have been discovered. It’s an arms race of sorts. Set up Windows Update in a way that works for you, and let it protect you.

Update Microsoft Office. Microsoft sometimes finds vulnerabilities in Office that could allow an attacker to mess with your system. They release patches that are specifically for your version of Office to plug these holes.

Ed Bott at ZDNet wrote an article recently on a method he’s used to secure other people’s Windows XP computers. He covers some of the bases, and he has some good ideas.

Here is my own take on how to secure your system. Take these steps when you think you won’t be using the computer for a few hours. This could take a while.

I’ve divided the article into sections that talk about different features of XP that should be set up in order for you to run XP securely. Each section is, for the most part, broken up into two parts: how to check whether a feature is already set up correctly, and, if not, how to set it up.

Each section starts with the assumption that you have logged into a desktop session as an Administrator. This shouldn’t be a problem for most people. The name on the account can be anything, but you need to have administrative privileges to do these things. If you’re an average XP user, you’re logged in as Administrator whenever you log in to get to the desktop.

Are you using NTFS?

Go to your C: drive in Windows Explorer or My Computer, right-click on it, and select “Properties”. Look at the “File System:” designation. If it says “NTFS”, you do not need to convert it. It’s already NTFS.

Convert your file system to NTFS

If you have a FAT32 file system it’s best to convert it to NTFS. Your programs will still run. They won’t know the difference. The only program I’ve seen that has a bit of a problem with NTFS is my copy of Partition Magic (I think it’s Version 6), which is a system utility.

Note: I’m not sure about this, but my guess is that Windows needs some free disk space to do the conversion. If your C: drive is pretty full, I’d wait until I could find a way to free up a gigabyte of space before proceeding. I’m sure that the process will need to move some data around in order to do the conversion. That’s just my unprofessional opinion.

First of all I’d check to make sure there are no errors on C:. If you have the C: drive’s Properties screen up already (if not, refer to my note about “Are you using NTFS?” for how to bring it up), select the “Tools” tab, and click on the “Check Now” button in the “Error-checking” box. A dialog box will come up.

Just to be safe I would select both check disk options: “Automatically fix file system errors” and “Scan for and attempt recovery of bad sectors”. Hit the “Start” button in the dialog box. It will tell you that you need to reboot. Go ahead and do this. It will do the error check on reboot. Once it’s done it will bring you back to the login screen.

Note: If you have your system set up to boot multiple partitions, be sure to select the operating system that you are using now from the boot menu.

At the login screen log in to an account with administrative privileges. Converting the file system to NTFS is pretty easy to do. Click on the Start menu and select “Run…”. This will bring up a small dialog box. In the box labeled “Open:” type:

convert C: /fs:ntfs

That’s it. Windows will tell you that you need to reboot. When you reboot it will begin the conversion process, after which it will bring you back into Windows and the login screen.

Note: If you have your system set up to boot multiple partitions, be sure to select the operating system that you are using now from the boot menu.

Do you have SP 2?

Click on the Start menu, go to your Control Panel, and select System. Under “System:”, in the “General” tab, Windows will tell you what version of XP you have installed. If it says somewhere in there “Service Pack 2”, you have SP 2 already. If you do not see this, you do not have Service Pack 2 installed.

Installing SP 2

SP 2 should be available from the Windows Update site.

Click on the Start menu, select All Programs, and select Windows Update. When you get there select “Custom” (rather than “Express”). Have it scan your system for suggested updates. SP 2 should show up either under the “High Priority” or “Optional” update lists. You can select these lists from the “Select by type” menu on the left-hand side of the Windows Update page. Note: “High Priority” and “Optional” only show up as options after you have let it scan your system for updates.

The update should show up as something like “Windows XP Service Pack 2”. It’s large and will take a while to download and install, so be patient with it.

If you are concerned that SP 2 may cause software compatibility problems, the installer will allow you to select an option at some point during the installation process that says something like “Allow me to uninstall SP 2”. This will cause it to create a backup of your existing system files, and it will put an entry for it under Add/Remove Programs (which is under Start|Control Panel). This way, if it causes problems for you, you can revert the system back to the way it was, by uninstalling SP 2.

Given the security benefits though, I would try to find a way to make SP 2 work on my system. If that means upgrading some software, or using alternative software that works better with SP 2, I’d suggest doing it. It’s worth not having the headaches.

Do you have a limited account?

Unless you’ve already gone through the steps to create one, you probably don’t have one. If you do have one, just use that as the account you use for accessing the internet. I’ll explain more about this below.

Creating a limited user account

This is an important step. Even if you do all the other things to secure your system, there’s still the possibility that you’re open to some attacks. New vulnerabilities are found in Windows frequently, and it can take Microsoft some time to come out with a fix for them. You can create what’s commonly called a “sandbox” around the programs you use that access the internet. You do this by creating what’s called a “limited account”.

Click on the Start menu, select Control Panel, and then select User Accounts. This will bring up a User Accounts screen.

Select “Create a new account”. Type a name for the new account. I’ll call it “Internet”, but you can call it what you want. Click the “Next” button.

It asks you what permission level you want for the account. Select “Limited”. Click the “Create Account” button.

Okay! We’re almost finished here. User Accounts will take you back to an earlier screen, where all accounts on your computer are listed.

Select the “Internet” account (or whatever you called it).

This will take you to an account options screen. Select “Create a Password”.

Type in a password for the limited account. It will ask you to type it in twice: once in the box labeled “Type a new password”, and again in “Type the new password again to confirm”. This is done to make sure you typed the password the way you intended. If you like, you can also put in a hint for the password, in “Type a word or phrase to use as a password hint”. This is optional. This is just something you can use to jog your memory if you forget the password. Click the “Create Password” button.

Using your limited account

So what do you use it for? Limited accounts have limited privileges in your system. When you are logged in under the limited account, you don’t have write access to system files, and you don’t have write access to the registry, and neither do any of the programs you use under this account. These are the places where malware likes to install itself. A neat feature of Windows is you don’t have to switch accounts every time you want to access the internet, or use the software you have installed.

The way I do things is whenever I want to use my computer I log in as Administrator, and run my non-internet software as usual. But if I want to use e-mail, use my web browser, or use any software that accesses the internet, I usually configure them to run under the limited account. How do I do this? I’ll use your web browser as an example.

Go to the icon you usually use to open your web browser. This could be on the desktop, the Quick Access bar, or under Start|All Programs. It doesn’t matter which, go to the icon for your browser, and right-click on it. Select Properties.

Click on the “Advanced…” button.

This brings up a dialog box, usually with only one option accessible. Select “Run with different credentials” and click on the OK button.

Click OK on the Properties screen.

Now, left-click on the same icon you right-clicked on earlier. A new dialog box comes up, called “Run As”, asking, “Which account do you want to use to run this program?” It gives you two options: “Current user” or “The following user”. Usually I pick “The following user:”. That’s what we’ll do here.

Select “The following user:”. This will highlight the current user’s user name. Type “Internet” (or whatever name you used for the limited account you created) in the box labeled “User name:”.

Then type the password that you assigned to the limited account, in the box labeled “Password:”. Hit the OK button.

Your browser is now running, but it’s running under the limited account you created.

You’ll probably notice that none of your bookmarks or favorite sites show up when you look for them, and that the browser is running under a default configuration. This is because the browser literally thinks it’s running under a different account, not the one you usually use. This only occurs if you just created the limited account. If you’re using a limited account you created before reading this, you’ll see any options and bookmarks that have been set/created in that account.

Windows XP divides up configuration files for different users into different sets of folders. So all of your bookmarks and browser options that you set before still exist, just under the account that you’ve been using for a while. Since the limited account, in this example, is new, it doesn’t have any of your settings yet.

This will be true for most of the software that you do this with.

All software configuration files and bookmarks are stored under “C:\documents and settings”. Each user has their own folder under this one. Under their folder, their configuration data is typically in their own “Application Data” folder. In Application Data there are sub-folders where each piece of software stores its configuration data. It’s possible to copy this data from one account to the other, just by copying it between the <user>\Application Data folders (substitute a user name for <user>). Favorites/bookmarks can be transferred the same way, but they’re either in a folder under <user>\Application Data, or in the user’s “Favorites” folder, depending on the browser you use.

Issues with this approach

A side-effect of running your browser under a limited account is any program that is activated from your browser will also be run under the limited account. For example, if you go to a site that contains online audio or video, which brings up a player, that player will be run as the limited user. This is good, as this will seamlessly insulate you from possible security threats that other internet-enabled software can bring in. However, I’ve noticed this can cause problems with Windows Media Player, particularly since I got a Pocket PC and had to set up ActiveSync. ActiveSync 4.0 only runs properly as Administrator, but Windows Media Player insists on activating it whenever it’s run, even if from a browser. This causes WMP to crash. The exception is the ActiveX Media Player control, which runs inside the browser window. It runs with no problems. You can’t control which gets run. The people who created the page control that.

Windows Media Player used to run just fine under a limited account. It didn’t start crashing until I installed ActiveSync. Nowadays when I want to play streaming video from a web site I use RealPlayer. I’ve had no problems running it as a limited user. I can use WMP from the desktop for playing video files.

Edit 10/12/06:

A special note about files you download through your browser, or upload from your browser: account privileges count here too.

If you run your browser from a limited account, any files you download through it will be saved with limited account privileges. There may be directories on your hard drive you cannot save to, because they are limited to Administrator access. If you save anything to My Documents through the browser, it will save the file to the limited account’s My Documents folder, not the My Documents folder of the account you logged into to get to the desktop. If you save a file and don’t find it under My Documents, look under C:\Documents and Settings\<limited account name>\<limited account name>’s Documents, substituting <limited account name> with the limited account name you set up earlier.

If you are uploading a file, you may receive an error message saying that it can’t access it. If you created the file using an application as the user you logged into the desktop with (presumably as Administrator), the file may not give access privileges to the limited account. In this case, right-click on the file, select Properties, and then select the Security tab. See if the name of the limited user account shows up in the “Group or user names:” list. If it’s there, make sure the Read permission is set under the “Permissions for <limited user account name>:” list, and click the OK button. Uploading the file should work after doing this.

If the name of the limited account is not in the “Group or user names:” list, click the “Add…” button, type the user name of the limited account in the text window, and hit the OK button. Select this user in the “Group or user names:” list and make sure it has the Read permission set in the “Permissions for <limited user account name>:” list. Then click OK. The upload should work after doing this.
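The limited-account steps above (create the account, start the browser under it, give it Read access to a file you want to upload) can also be done from a Command Prompt. The batch file below is an added example, not part of the original article; it assumes English Windows XP, the account name “Internet”, Internet Explorer in its default location, and an optional file path passed as the first argument.

```batch
@echo off
rem Added example, not from the original article. Command-line equivalents of
rem the limited-account steps. Run from a Command Prompt as an administrator.
rem Assumptions: account name "Internet" (the article's example), English
rem group names, Internet Explorer at its default path.
setlocal
set ACCT=Internet
set BROWSER=C:\Program Files\Internet Explorer\iexplore.exe

rem 1. Create the account if it is missing. "*" makes net prompt for the
rem    password, so it is never stored in this file. An account created this
rem    way joins only the local Users group, which the User Accounts screen
rem    shows as "Limited".
net user %ACCT% >nul 2>&1
if errorlevel 1 (
    net user %ACCT% * /add
    if errorlevel 1 goto :fail
)

rem 2. Stop if the account is an administrator: running the browser under it
rem    would give none of the protection described above. /b is a prefix
rem    match, so a longer administrator name that starts with the same
rem    letters also stops the script (it errs on the side of refusing).
net localgroup Administrators | findstr /i /b /c:"%ACCT%" >nul
if not errorlevel 1 (
    echo %ACCT% is in the Administrators group. Remove it first.
    goto :fail
)

rem 3. Optional: give the limited account Read access to one file you want
rem    to upload. /E edits the existing permissions; without /E, cacls
rem    replaces the file's whole permission list with this single entry.
if "%~1"=="" goto :launch
cacls "%~1" /E /G %ACCT%:R

:launch
rem 4. Start the browser under the limited account. runas prompts for that
rem    account's password. The inner \" pair keeps the path, which contains
rem    spaces, together as one program name.
runas /user:%COMPUTERNAME%\%ACCT% "\"%BROWSER%\""
endlocal
exit /b 0

:fail
echo Setup stopped. The browser was not started.
endlocal
exit /b 1
```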

Exceptional situations

I think on one occasion I had to install an ActiveX plug-in through my browser as Administrator, because it would not do so as the limited user.

I do this reluctantly, but sometimes I have to. There have been times when I have to access a web site as Administrator (on Windows). In these cases, I just select “Current user” (Administrator), when the “Run As” option dialog shows up. There are web sites which won’t run properly if I’m running my browser as a limited user. I saw this when I was planning a trip and shopping for a rental car. A few of the rental car sites would not run properly. This could be the fault of IE as well. If I used a different browser like Opera or Firefox, maybe these problems would go away. Even if I was using them, I would still run them under a limited account. They’ve had their security issues as well from time to time. It’s just a good policy to have.

There are times when I can’t run my browser as a limited user even if I wanted to. I have desktop search installed. Sometimes I have trouble finding a web link I’ve saved. So I search for it in desktop search. I can click right on the link when I find it, and bring it up in my browser, but it brings up the browser as Administrator. It’s not the best situation, and I have to admit I don’t run a totally tight ship.

I have run into occasions when I’m running IE as a limited user where it starts hogging the machine. Everything else slows down. IE may even lock up. I’m not sure why. When this happens I have to go into Windows Task Manager and shut down one of the instances of IE I have running, whichever one is screwed up. This doesn’t happen too often.

Do you have a firewall activated?

There’s a little more configuration to do.

Windows XP has a software firewall built in. Here’s how you can check to make sure it’s activated.

Click on the Start menu, select your Control Panel, and then select Windows Firewall. If it is not on, check and see if you have a third party firewall activated. Some antivirus software comes with its own firewall, and may have turned off Windows’s firewall (it’s better if you don’t have two of them running at the same time). The thing about this is the third party firewall may not even be called a firewall. For example, the version of Norton Antivirus I have installed comes with a firewall, and it’s called “Internet Worm Protection”. This is a good common sense name for it, since that’s typically what a firewall is used for: to protect against internet “worms”. The point is that you may have a firewall running even though it’s not called a “firewall”.

If you have a third party firewall activated, don’t worry about the Windows firewall. The third party one is probably better. If, however, you know of no active firewall, make sure the Windows firewall is turned on.

If you’ve just turned the Windows firewall on for the first time, check out the “Exceptions” tab on the Windows Firewall screen. If there are any programs you know need internet access to function, give them an “exception” to the firewall restrictions by putting a check by their name in the list.

When you’re done, click the OK button.

Are you up to date with the updates?

Checking this is easy. Click on the Start menu, select All Programs, and select Windows Update. When the Windows Update page comes up, select “Express”. Wait for it to finish scanning your system. If there are any critical updates you need to get, it will show them to you right up front. If any show up, click on “Review and install updates”. This will take you to a second screen. Select “Install updates”. This will start the process of downloading and installing the updates. Some updates may require you to reboot. If this happens, go ahead and reboot your computer. Once it comes back up, log in as a user with administrative privileges and go back to Windows Update, repeat the process described here, and see if any more critical updates come up. If so, start the install process. Sometimes an update that causes a reboot is a necessary prerequisite for other critical updates. You’re not downloading and installing updates you already got. They’re just ones that weren’t ready to be installed before the previous update.

If no critical updates show up, you are up to date!

Get critical updates automatically

You can set up Windows Update to check for and install updates automatically from here on out. Here’s how to set it up.

Click on the Start menu, select Control Panel, and then select “Automatic Updates”. This will bring up an Automatic Updates screen. If you have never been to this screen before, it should already be set to “Automatic”. If it’s not set to that, set it to “Automatic”. You can set when you want it to check for and install updates, like the day of the week, and the time of day. Make sure you set it to a time when the computer will typically be turned on. It will not automatically update if the computer is in standby mode or powered off. When you’re done, click the OK button.

Office updates

Updates are available for Microsoft Office, too. Even if you just have Microsoft Word, you can still gain security benefits from them. You get them by going to Windows Update and clicking on “Office Family”. This will bring up a new browser window, going to a different site, for Microsoft Office. Once there, click on “Check for updates” in the box labeled “Office Updates”. It will scan your Office installation and see if you need any updates. It’s best to just install all the ones it suggests.

New – Microsoft Update – Get all critical updates automatically

There’s an add-on available for Windows Update from Microsoft, called “Microsoft Update”. It’s free. It automatically finds any Microsoft software you have installed, system and applications, and if there are any critical (security) updates available for them that you don’t have, it will download and install them for you. This way you do not need to check for critical updates for Windows and Office separately. It will handle both, and it will use your settings in “Automatic Updates” (under Start|Control Panel) for doing that.

You can get Microsoft Update from the Windows Update web site. Go to Start|Control Panel|Windows Update. You will see one or more links to “Microsoft Update” either on the home page, or on the results screen after you have had Windows Update scan your computer. Just click on one of the links and follow the onscreen instructions. It will install a new ActiveX control on your system, and you will be all set.

Finally!

I’m sure you’re saying, “Gosh this seems like a lot of work to secure my system.” It is, but this is just the initial setup. Once you have everything set, all you really need to do from now on is run your internet-enabled software under the limited account. That’s it. Everything else is set up to protect you automatically. Assuming you have cleaned your system already of any malware (or have been lucky enough not to get it in the first place), you should notice that your virus and spyware scans come up clean from now on.
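To confirm that the initial setup is still in place, the batch file below re-checks the settings covered in this article without changing anything. It is an added example, not part of the original article; it assumes English Windows XP with SP 2 or later, an administrator Command Prompt, and a limited account named “Internet”.

```batch
@echo off
rem Added example, not from the original article: a read-only check of the
rem settings this article walks through. It changes nothing on the system.
rem Assumptions: English Windows XP SP2 or later, run as an administrator,
rem limited account named "Internet" as in the article.
setlocal
set ACCT=Internet
set BAD=0

rem 1. C: should be NTFS (fsutil needs administrative rights).
fsutil fsinfo volumeinfo C:\ | findstr /r /c:"File System Name.*NTFS" >nul
if errorlevel 1 (
    echo [FAIL] C: is not NTFS
    set BAD=1
) else (
    echo [ ok ] C: is NTFS
)

rem 2. Service Pack 2 or 3 should be installed.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | findstr /c:"Service Pack 2" /c:"Service Pack 3" >nul
if errorlevel 1 (
    echo [FAIL] Service Pack 2 or 3 not found
    set BAD=1
) else (
    echo [ ok ] Service Pack 2 or 3 installed
)

rem 3. Windows Firewall, standard profile. A third-party firewall that has
rem    switched this off will show up here as a failure; check it by hand.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | findstr /c:"0x1" >nul
if errorlevel 1 (
    echo [FAIL] Windows Firewall is off; fine only with a third-party firewall
    set BAD=1
) else (
    echo [ ok ] Windows Firewall is on
)

rem 4. Automatic Updates should be set to "Automatic" (AUOptions = 4).
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions | findstr /c:"0x4" >nul
if errorlevel 1 (
    echo [FAIL] Automatic Updates is not set to Automatic
    set BAD=1
) else (
    echo [ ok ] Automatic Updates is set to Automatic
)

rem 5. The limited account should exist and not be an administrator.
net user %ACCT% >nul 2>&1
if errorlevel 1 (
    echo [FAIL] account %ACCT% does not exist
    set BAD=1
    goto :summary
)
net localgroup Administrators | findstr /i /b /c:"%ACCT%" >nul
if errorlevel 1 (
    echo [ ok ] %ACCT% is not an administrator
) else (
    echo [FAIL] %ACCT% is in the Administrators group
    set BAD=1
)

:summary
if %BAD%==0 echo All checks passed.
exit /b %BAD%
```

The script exits with code 1 if any check fails, so it can be run from a scheduled task and the result logged.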

From what I’ve been reading this will get better with Windows Vista, the new version of Windows Microsoft is planning on having out by January next year (for consumers–earlier for businesses). Microsoft is really trying to design in security with Vista, so users won’t have to jump through hoops to get it.